The application keeps the daily reports in a shared path. Our application generates the URL linking to the Excel files like

http://application/ExcelTask/Index.cfm?type=Report&fileName=Report_Mar2014.xlsx

with the cfm code as

<!--- filePath is assembled from URL.type and URL.fileName (not shown here) --->
<cfif FileExists("#filePath#")>
    <cfheader name="Content-Disposition" value="inline; filename=""#URL.fileName#""">
    <cfcontent type="application/vnd.ms-excel" file="#filePath#">
</cfif>

What we have found out is that if users are aware of our directory structure, the cfm files can be downloaded using URL injection like

http://application/ExcelTask/Index.cfm?type=../ExcelTask&fileName=Index.cfm

I can add a condition to allow only files of type xls and xlsx, but that looks like a Plan B.

Any ideas how to restrict the folder access?

Gaurav S
    You should be validating that the `type` variable is only expected values (i.e. allowed folder names) and that filename never contains path traversal characters (i.e. consecutive dots or slashes). – Peter Boughton Mar 27 '14 at 09:48

1 Answer

Use basic data sanitization skills to both clean and validate your URL.type and URL.filename.

  • some replaceAll code to eliminate ../, or
  • try isValid("regex", some regex pattern...)

You can also validate against the session whether the currently logged-in user has the right to view/download the file, for extra protection.

Henry
  • Thanks Henry. If folder restriction is not an option, I would use the data sanitation techniques instead. Thanks for confirming. – Gaurav S Mar 27 '14 at 04:54
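Putting the answer's two checks together, here is an added example of a hardened version of the handler from the question (example code, not the asker's or answerer's own). It assumes the Excel folders live under ./reports/ and ./archive/ next to the template, and that expandPath() and getCanonicalPath() return paths with the same separator style on the server; adapt the allowlist to your layout.

```cfml
<!--- Added example: hardened download handler. Folder names and layout are assumed. --->
<cfset allowedFolders = { "Report" = "reports", "Archive" = "archive" }>

<!--- 1. Folder allowlist: URL.type is only ever used as a lookup key,
         never concatenated into the path, so "../ExcelTask" cannot match. --->
<cfif NOT structKeyExists(allowedFolders, URL.type)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>
<cfset baseDir = expandPath("./" & allowedFolders[URL.type] & "/")>

<!--- 2. File name allowlist: exactly one path segment with an xls/xlsx
         extension. Slashes, backslashes, ".." and NUL bytes are rejected
         outright instead of being stripped and retried. --->
<cfif NOT reFind("^[A-Za-z0-9_\-]+\.xlsx?$", URL.fileName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 3. Defence in depth: canonicalise the final path and confirm it still
         sits inside baseDir before serving it. Assumes both functions use
         the same separator style on this platform. --->
<cfset filePath = getCanonicalPath(baseDir & URL.fileName)>
<cfif left(filePath, len(baseDir)) NEQ baseDir OR NOT fileExists(filePath)>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfheader name="Content-Disposition" value="inline; filename=""#URL.fileName#""">
<cfcontent type="application/vnd.ms-excel" file="#filePath#">
```

With this in place the traversal URL from the question fails at step 1 (unknown type) and, even if the type were valid, at step 2 (Index.cfm does not match the extension allowlist).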